Health care website passes recent security test

By The Associated Press

WASHINGTON — Medicare's top cybersecurity official says the Obama administration's health care website recently passed full security tests, easing her earlier concerns about vulnerabilities.

Teresa Fryer, chief information security officer at the Centers for Medicare and Medicaid Services, told Congress at a hearing Thursday that she would now recommend full operational and security certification for the website known as HealthCare.gov.

The Medicare agency is responsible for expanding coverage to the uninsured under President Barack Obama's health care law.

Shortly before the website's disastrous launch Oct. 1, Fryer told other top officials that she could not recommend going live because full security testing had not been completed. She drafted a formal memo expressing her concerns, but never sent it, partly because more senior officials had already determined to proceed with additional safeguards to address the potential risks.

"The testing was successfully completed. It had good results," Fryer told the House Oversight and Government Reform committee.

She agreed with a suggestion by Rep. Jackie Speier, D-Calif., that the system now has "a clean bill of health."

But Republicans sought to turn the focus to the administration's decision to launch the site on Oct. 1, before full security testing was complete.

The concerns of Fryer and others were relayed to senior levels of the department, Assistant Secretary of Information Technology Frank Baitman testified. He told the panel he had informed Deputy Secretary Bill Corr, second in line after Secretary Kathleen Sebelius. Baitman said he was not personally convinced the security worries were a "red flag."

Officials said there have been 13 known cases in which personal information has been inadvertently disclosed or exposed to disclosure. But there have been no successful attacks by hackers, including a group calling itself "Destroy Obamacare."

Chairman Darrell Issa, R-Calif., investigating the chaotic rollout of the HealthCare.gov website, contends the administration risked the personal information of millions of Americans in its zeal to meet a self-imposed Oct. 1 deadline. The online federal insurance market is the main portal to coverage under President Barack Obama's signature program.

The panel's senior Democrat, Rep. Elijah Cummings of Maryland, says the administration addressed the potential security issues through added vigilance instituted before the site went live. He says despite initial operational problems, the site has not been successfully hacked. Cummings says it is Republicans who are risking the privacy of average citizens by demanding detailed blueprints that, if leaked, would become a road map for hackers.

With "Obamacare" expected to be a polarizing issue in the midterm congressional elections, both political parties are at battle stations. Republicans have raised security issues but have yet to produce a smoking gun.

In a closed-door deposition prior to the hearing, the top cybersecurity officer for the Health and Human Services Department said he was concerned about potential vulnerabilities ahead of the launch.

But Kevin Charest told congressional investigators he was unable to get answers to his questions from others inside the department.

He concluded that the testing of the site was substandard.

"I would say that it didn't follow best practices," Charest testified a Jan. 8 deposition.

HealthCare.gov has two major components: an electronic "back room" that got full operational and security certification and a consumer-facing "front room" that was temporarily certified Sept. 27.

The back room, known as the federal data services hub, pings government agencies to verify applicants' personal information. It does not store data.

But the front room does. That's where consumers in the 36 states served by the federal website create and save their accounts.

Individual components of the front room did undergo security testing. But the system as a whole could not be tested because it was being worked on until late in the process — and it was also crashing.

Charest testified that security testing usually takes place on a fully built, stable system that represents real-world functionality.

The path followed by HealthCare.gov was "not typical," he said. "In a perfect world, the system is completely done when you test it."

The operational and security certification for the consumer-facing part of the website was signed by Medicare chief Marilyn Tavenner, after security professionals in her division balked.

Despite the unusual process that administration officials followed with the website, Charest expressed cautious optimism over the added vigilance and testing measures put in place to reduce risks.

"I have no reason to believe that these broad mitigation strategies, if followed through in detail, would not mitigate the

risk," he told the committee.